
you didn't answer the _why do we need all that for a drum beat making website_?





Unauthenticated http is a vector for opportunistic malware. They don’t target specific websites, just inject evil.js wherever.

Your ISP sniffing and MiTMing traffic on the wire is the least likely vector of malware injection.

ISPs are usually serious businesses with reputations and don't hack their own customers.


That “usually” is doing a ton of work. I remember Vodafone injecting scripts into webpages many years ago. While trying to find a source, I bumped into other shenanigans.

https://www.simpleanalytics.com/blog/vodafone-deutsche-telek...


Out of all the bad actors on the Internet, your ISP is the least bad.

That’s not a valid defence, it’s moving the goalposts and whataboutism. ISPs shouldn’t be bad actors at all and they have the ability to do the most harm.

Maybe if they live in a high income country with relatively strong consumer protections and are using their home ISP. But quite a lot of the internet is very much not that.

In some places and on some networks, MiTMing http traffic for undesirable use-cases is routine.


At least so that login / register data don't go to the middle man.

You don't. But you will be penalized by Big Co for not supporting https.

(It's effectively a "doing business on the Internet" tax. Thankfully not that expensive for small hobby projects now.)


It's literally $0 with LetsEncrypt.


